Screwdrivers, Napster and other dangerous objects

With all of the recent churning issues such as DVD/Music/IP 'piracy' via 'illegal' software (DeCSS, Napster, cphack); the Source Code as Free Speech court decision, possible Melissa/911/etc virii lawsuits/prosecutions, UCITA laws passing, anti-reverse engineering, patents and other sundry lawsuits, the question of how open source programmers can or even should look toward the application of code they write is raised.

Let's create a fictitious example, so as not to harm or point to anyone
in particular:

Example:

Johnny_Minor, a fictional script_kiddie

mmap, a fictional piece of software authored by

Larry Ceiling, a fictional open source author

Irrita Bill Gashines, aka IBG, a fictional international
company with loads of fictional lawyers, some of them even honest
lawyers
(hey, I did say fictional)

Now, how does the screwdriver fit in? These days, if you are walking
along and are picked up (or even searched) for anything at all
(jaywalking?), it's entirely possible for that screwdriver (or pocket
knife or whatever) in your back pocket to be called a burglar tool.
It's no lock pick, it's just a standard hardware store screwdriver, but
in the eyes of the law, it's a tool that can be used for crime.

Now imagine the possibilities of mmap! It's a handy dandy network tool.
It slices and dices, it zips, gzips, bzips, and tars. Now how much would
you pay for it? But wait folks, it does more... it ftps, telnets, email
and ircs. Now how much would you pay? Act now, and we'll throw in a
cracklib, a portscanner and an orange peeler. And call in the next 15
minutes and say that Linus sent you and we'll throw in the source code!
Act fast, the site will be slashdotted soon!

Johnny_Minor gets hold of mmap, and uses it in a "bad" way on IBG.
(yes, we all saw it coming, even as he downloaded it..)

IBG discovers that Johnny has money, or maybe his parents have money, or
hey, Larry has money, or maybe Larry's employer has money, or Larry's
web provider has money, or maybe http://www.2699.com which provided a
link which Johnny followed, etc etc....... (and Yes, with sites getting sued
over illegal auctions/links/content, this might well happen one day...)
Look at lawsuits with gun makers, tobacco companies, and so on....
As software companies become worth billions, expect more lawsuits....

If Larry sees that mmap can be used for 'wrong,' does he have to do
anything about it? Does he have to even acknowledge the possibility of
it? If his source code has sections commented, even commented out, or if
his CVS has old code that does 'bad things,' can he be held accountable?

Suppose that in one country it's illegal, and another it's legal... but
Larry lives in one and Johnny another. It's happened... and the results
aren't pretty.

Is the GPL, BSD, or other license enough to make someone held harmless,
and where is that line drawn? If the source code is modified at all,
are you safe? If source code is free speech, can you write "Hello World,
FIRE IN THE THEATER!" so long as you don't compile it?

Making money is no longer an issue, thanks to the DMCA. Thanks to
UCITA. Thanks to lawyers and judges who treat screwdrivers like
lockpicks and treat software like crowbars.

Even among software professionals, we talk about white hats, black hats,
grey hats, not to mention Red Hats.... If someone is a black hat, and
released software with seemingly only 'bad' uses, (BO2K comes to mind)
and white hats find it useful, doesn't that seem to say that software is
neutral, it's in how it's used that the problem lies?

I'm personally interested because some stuff I'm working on has the
potential of being used in infinite ways and I don't want to limit usage
or avoid writing code, or any number of 'protective' things just because
someone someplace can't figure that hot coffee is really hot. And
besides which, one person's illegal activity is another person's fight
for freedom. Free Code is Free Speech, but what about countries without
either?

I don't claim to have answers, this is meant to be the start of what I hope
will be an interesting discussion...

Let's get it said right up front: IANAL (I am not a Lawyer) aka IMANAL
(I'm being an orifice but I'll say this) should apply to all of us,
with the rare exception of lawyers speaking up for themselves.

-- Seth Cohn

[I just know I'll find a typo right after I submit this.... but....here
goes]

It seems to me that most software can be put to illegal use.
Certainly, Internet communications software such as email, ftp,
nntp etc can all be used to transmit content illegally (whether
'illegally' means breach of copyright, libel, fraud, pornography,
etc). The Internet is basically a system for making communication
easier, so of course it can be used for illegal communications.
So most software is dual use -- it can be used for legal and illegal
purposes.

Should people writing open source then not have anything to do
with Internet software? Of course not, that would be silly.

The only difference would be if something was only really capable of
being used for illegal purposes. But software like Freenet, Napster, or
DeCSS have plenty of legal uses, and so should be legal to develop.

As for morality, replace 'legal' with 'moral' and 'illegal' with
'immoral': Freenet etc have plenty of moral uses, so it is morally
OK to develop them.

it really doesn't matter much what we think; lawyers live in a strange
universe where all words mean different things and all decisions rest on
historical precedent and analogy to facts none of us are familiar with.

to be fair to the lawmakers though, I think many of us (programmers) are
still not quite able to take the internet and computer systems in
general seriously. maybe it's because we still think of computers as the
special toys we play with that make us unpopular with the other kids;
maybe it's because the most visible people getting rich off the net are
incomparable idiots; maybe it's because we've seen how horribly most
computers get programmed anyway so we have no respect for existing
software; but when someone suggests that computers have any sort of
extension in the real world where we all live (most of us voluntarily)
under rule of law, then we all cry out in protest that no! no laws
shall ever affect the computer! the internet shall forever remain the
utopia of my adolescence!

it's a little naive. if computers were still a vague idea in the back of
babbage's head, ok maybe. but now, people have sunk significant amounts
of their lives, their money, their political will, etc. into computers
and the net and to a certain extent that "concretizes" the role
computers play, and subsequently concretizes the damage one can do by
screwing around with them.

I don't mean to imply that the DMCA or UCITA are good ideas, any more
than the completely insane RIP bill is a good idea; but the response I
see implicit in a lot of the arguing is the geeks saying "you can't
control what people do on the net, it's an anarchy!" and that only works
so long as everyone wants it to continue being an anarchy.
Increasingly, people don't. If (heaven forbid) someone puts a hospital
network online and some script kiddy happens to lay waste to a bunch of
embedded linux hosts which just happen to be fibrillators, a lot
of people can be pretty non-trivially affected by that.

In a case like that, honestly, a programmer who makes the
"nuke-that-embedded-linux-box-3000" netcat/bash script is in a similar
position to the morons who make assault weapons. the law does actually
prohibit making and selling certain weapons. it's not that the law is a
plot to tranquilize the citizenship into an evil one-world government,
it's that the damage one idiot can do if they get a hold of the device
is simply too great to justify the device's legality.

It really pains me to say it, but I can morally say it makes sense to me
to have certain of the programs I could potentially
write made illegal in my society by nature of the damage they could do.
Which programs, where, when, and how they are banned are issues which
the legal system is going to spend the next several years wrestling
with. Personally, I don't think you can justify banning cp or
perl because they have too many beneficial uses. But I really
think it's naive to think that the worst damage you can do anymore is
wiping out your own drive.

I'm sorry, but the author of a piece of software has no control over
how it is used. That is why they always include a disclaimer. When was
the last time you bought a screwdriver and it had a disclaimer?

There are only two parties involved in a damage case. That is the
victim and the initiator. The initiator may have used your software, or
someone else's software, but he decided to use the software that
way. You didn't go to him and even imply that the software
could be used that way. It is also the victim's job to prevent that.
Now, if the devices had an obvious security hole that the creators knew
about, then that's another story.

It all comes down to education. Educate the initiator so that
(s)he won't do that. Educate the device maker to make sure all bugs are
fixed. Educate the victim to prevent things like that.

there are laws in certain countries and states that mandate that guns
*must* be carried at all times. Texas, in the U.S., is one such state.

Attempting to pass laws out of a scared-shitless reaction to potential
threat is, if you're asking me, futile, counter-productive, reduces
threat-awareness and threat-response thresholds, reduces creativity in
the development of counter-measures to threats, and generally makes for
a much less interesting and much more threat-susceptible world!

It's a bit like getting rid of the common cold: your immune system would
have nothing to do. If an accidental cold-virus outbreak occurred
twenty years after it was last "eradicated", people would die in
droves. From the common cold!

Imagine what would happen, say, if someone suggested that the
development of medicine was to be stopped, because Drugs are Dangerous,
right, and Drugs are developed by medicinal research.

Certain CDC centres across the world have the *last* remaining samples
of very specific plague viruses. Why are they not destroyed? *think*.

A much more effective method to minimise threats is mind-control. It
looks like most people think that passing laws is the way to do that
(psychological mind-control).

the central thesis here is that all people, at all times, with all
possible combinations of tools, are equally likely and capable of
causing trouble as all others.

I think that's plainly nonsense. all you need to do is look at the
numbers. people in proximity to a tool which causes damage
will, practically by brownian motion, cause damage with that tool.

that's why we regulate nuclear weapons. that's why we regulate harmful
chemicals. that's why there's road-worthiness tests and speed limits.
that's why it's the CDC and the CDC alone who has copies of
smallpox. smallpox is not left in every high school bio lab. why not?
because the probability of someone releasing it increases with
the number of ways it's possible for them to release it. it's a
simple statistical equation -- break open your stats text if you forgot.
this is the same reason why, in canada (shameless plug) we actually have
fewer people per capita killed by firearms. because they're more tightly
regulated, there are fewer of them just lying around in peoples' houses,
so there are fewer ways of someone going about killing people.

why libertarian fanatics can't get this simple bit of discrete math is
beyond me. if you want the awesome feeling of personal responsibility for
life and death, join the military. if you want to work with deadly
viruses, join the CDC. if you want to write software which automatically
crashes planes, work for the FAA's internal auditing department. but
outside a safe, controlled venue, don't expect the general public to be
perfectly safe and reasonable with their decisions.

OB-On-Topic: the reason this debate breaks down into gun-control issues
is because nobody actually cares how much financial damage is done to a
company's britney spears intellectual property. this fact
should be taken separately from the issue of responsibility for the
creation of your tools. if you wrote a copy of lynx which had a
command line flag that did criminal damage, i.e. it killed someone
when you ran it the wrong way, afaik there'd be no question whatsoever
in common morality (and the criminal courts) that you had made something
you should not have. you are potentially an accomplice through
negligence. again though, this mixes up things we by and large don't
care much about (civil suits over corporate intellectual property) and
things we do (criminal conviction over serious damage).

graydon, I hope you have read The Right to Read that was mentioned
in the previous article. I support the BSD copyright, but what you just
proposed is exactly what that excerpt covers. You might as well let the
government regulate computers because using computers you can steal
other people's intellectual property without any recourse. We might as
well go and join the Amish, but oh, wait a minute. The Amish have tools
that can be used to kill people such as pitch forks, guess we can't let
them have those tools. Hmmmm, people might use glass shards to kill
someone so we can't have any houses having windows. The whole point of
the argument is the fact that legitimate tools are used incorrectly and
for illegal purposes.

Luke's point that the same people that made the laws are now taking
advantage of them by suing is interesting... Might be a good proof that
government is only a way to force some people to do what others want.

The whole question of making software 'illegal' seems to be a matter of
lawmakers... Is DeCSS illegal? I propose that it IS our responsibility
as computer professionals (and wannabe professionals) to refuse to allow
non-experts to make these decisions for us. And it is to us, while they
claim to be doing it for us.

That is, until someone creates a datahaven away from all countries'
lawmakers. Any IPO rich coder wanna buy an island to start it off
with?

Right now, the whole DeCSS whack-a-mole, the proliferation of software
like Napster/Gnutella/Freenet etc is a sign that a lot of computer
people aren't willing to let data just 'go away' cause some lawmaker
someplace tried to censor the whole net. It might be a cliche, but as a
whole, the net does tend to route around censorship, and I think it will
do so more and more and more.

If (heaven forbid) someone puts a hospital network online and some
script kiddy happens to lay waste to a bunch of embedded linux hosts
which just happen to be fibrillators, a lot of people can be pretty
non-trivially affected by that.

I work in healthcare.

I'm far more concerned about a script kiddy getting into a database.

I'm far more concerned that those embedded linux hosts be stable enough
that I could portscan them and NOT crash them by accident.

In a case like that, honestly, a programmer who makes the
"nuke-that-embedded-linux-box-3000" netcat/bash script is in a
similar position to the morons who make assault weapons.

Then we'll fix that embedded-linux-box. It's a little hard to fix
someone who has been shot. I value the programmer who finds a hole: better one
who publishes than the one who keeps it quiet and sells 'deadly shell
scripts' in secret to 3 letter organizations and immoral people.

It really pains me to say it, but I can morally say it makes sense
to me to have certain of the programs I could potentially write
made illegal in my society by nature of the damage they could
do.

Which programs, where, when, and how they are banned are issues
which the legal system is going to spend the next several years
wrestling with. Personally, I don't think you can justify banning
cp or perl because they have too many beneficial uses.

But maybe that is the point: the LEGAL system isn't the place for
that sort of decision. Imagine someone hiring a Johnny Cochrane type who
sways a jury with lines like "If the code was strict, you must
convict."

I'm sorry, but the author of a piece of software has no control
over how it is used.

Tell that to the lawyers who filed a lawsuit against Napster.
Tell that to the lawyers who filed dozens of lawsuits over DeCSS.
Tell that to the lawmakers who prevent encryption export.

When was the last time you bought a screwdriver and it had a
disclaimer?

When was the last time you read all the little print on items that told
you common sense things, like "Do Not Ingest". Those notices aren't
there except for some lawyer who either made them do it, or told them that if
they didn't, they would be liable.

nobody actually cares how much financial damage
is done to a company's britney spears intellectual property.

That is why I said 'do something bad' to IBG... and didn't specify. Does
it matter what is done? Is there some sort of scale?

if you wrote a copy of lynx which
had a command line flag that did criminal damage

If reverse engineering is made illegal, made criminal, then a single
flag might become just that. If saving a streamed mp3 into a non-protected
form is illegal (and some might say it is - see the RealNetworks vs
Streambox lawsuit), then lynx can almost do that now, and it would be
a simple patch to add it.

The test that the courts will apply -- in my not entirely inexpert
opinion -- is whether the software was intended to be used to a criminal
end, and whether the software has legitimate noncriminal uses.

Guns are
legal because the gun manufacturers have no (obvious) intent that their
guns are to be used for illegal purposes, and because guns have a
legitimate noncriminal use (self-defense).
If a gun passes this test, certainly something like Perl will. Perl is
the software analog of a Swiss army knife: no criminal purpose is
intended, and a huge supply of legitimate noncriminal uses exists.

It is extremely unlikely that a software programmer will face criminal
liability for anything other than programs which on their face are
designed to be used to perpetrate crimes. Examples of this would be
credit card number generators, software specifically designed to
facilitate system intrusion, and software specifically designed to
defeat copyright licensing systems (which is a criminal offense under
the DMCA). Note that the existence of a significant noncriminal use
for the software will negate the issue. Most tools which can be used to
a criminal end (e.g., nmap) have significant noncriminal uses.

The issue of manufacturer liability for tools which have criminal uses
has been effectively settled through litigation against gun
manufacturers. Despite several efforts to prosecute gun manufacturers,
nothing has been made to stick: it is legal to manufacture guns, and gun
manufacturers are not liable for the crimes committed by those who buy
them. (There are noises that gun manufacturers may yet be held liable
for negligence in the sale and distribution of firearms. However, I
can't see this as a likely development in software, at least not until
the government requires software distributors to be licensed.) The fact
that gun manufacturers have knowledge of a significant risk that their
products will be used for criminal ends is not enough to impose
liability.

Someone raised the issue of the UCITA earlier. UCITA is one of the
biggest Chicken Littles I've seen in the free software community. Even
under UCITA, the only liability that can be imposed is the same
manufacturer liability that people have tried to stick to gunmakers --
which, as mentioned above, doesn't work. In negligence, no liability
attaches to an actor -- even if otherwise negligent -- when the damages
are attributable to a supervening cause. One case I read on this a
while back involved a tanker car which exploded due to a deliberate
arson by a third party. Despite the fact that the transportation of
flammables is an ultrahazardous activity to which strict liability
attaches as a matter of law, the tanker car company was held not liable
because the arson (a criminal act and an intentional tort) constituted a
supervening cause, and all liability for the damages resulting therefrom
attaches to the arsonist. I can't imagine that a software author whose
works are used by a criminal third party to tortious ends would be held
liable, either criminally or civilly, unless the parties were somehow
acting in concert, or the damages occurred as a result of the failure of
the software to operate as promised by the author, where the software was
used in the manner intended by the author or in circumstances which the
author could reasonably expect it to be used.

In my opinion, therefore, people who write software for legitimate,
noncriminal ends have no reasonable worry of being sued as a result of
that software being used for criminal purposes. The only people who
stand to be sued are those who deliberately flout the law -- as DeCSS
arguably does. And, of course, those who write buggy software and fail
to disclaim warranty, but that's a different story.

kelly put it more verbosely than I could have, having no legal
background, but of course we're not talking about richard
stallman's "right to read" article. if there's a legitimate use, then
you don't have liability. the copyright laws (that make it a greater
crime to distribute albums than to kill people) are horrendous, yet
orthogonal issues to the issue of responsibility for publishing software
which is not designed to contravene laws.

what I question is the reasoning people propose for
establishing legitimacy of the intended use. I think that there's reason
to believe that the napster authors intended napster be used to
facilitate exchange of unauthorized MP3s, and that the tribe flood
network authors intended that it be used to hose large networks.

now, my personal interest in these cases is essentially nil,
since I don't personally care if the companies damaged by TFN
or napster go bankrupt tomorrow. but if a similar program was
used to poison my water supply or disable the local nuclear reactors,
I'd be rightly pissed off. and I would expect any reasonable
judge/jury to examine the program and check to see exactly how it was
used. if the program has a command line switch
--shut-down-nuclear-plant, then I feel that the author of the
program has some pretty serious explaining to do.

I mean, am I the only person who lives in a country with laws? the right
to free speech does not universally extend to the right to have
all your speech-related activities go unregulated no matter how harmful
they are. why don't you leap to the defense of spies who, by speaking a
few key names and places, facilitate wars? why don't you leap to the
defense of money launderers, who are simply trying to erase some
information? or, if I break into a bank computer and try to steal all
the money from people's accounts, why, aren't I just exercising my
freedom to speak to a computer? it's not my responsibility if
that computer happens to control money... people don't control banks,
computers do!

the problem (restated, from first response to this topic) is that most
of us refuse to grow up and take even a minute out of our days
to consider how our software will be run. we refuse to document it,
refuse to debug it, refuse to support it, and most certainly will
not be held accountable for it when it crashes, destroys property,
or commits crimes. we loathe the notion of being held
accountable for software because it is a deep cultural belief, supported
by both our community and our employers, that we (programmers and
software companies in general) must act like fast-shootin' cowboys,
adapting to any situation with grace and in reward, living free and
irresponsible. in any other industry, a worker with this sort of
attitude would be fired.

what I think is happening is that the legal system, as well as the rest
of society as a whole, is getting sick of this image and demanding some
responsibility. the software industry senses this frustration, and is
trying to pass UCITA for precisely this reason.

Graydon's point is valid. Most of you here are probably too young to
readily remember when New Jersey proposed to require licensure of
software engineers. This is not all that outlandish: civil engineers
are subject to licensure in most if not all states. The proposal did
not go through, but if software authors continue to be as reckless and
carefree as they have in the past, it is a matter of time before
governments step in and enforce discipline in the interest of protecting
public interest. Don't count on the software industry to balk such
schemes (as it did before): every other industry has a vested interest
in having working software, or in lieu of working software someone
to sue when the software breaks.

If I was running a major e-commerce site (like, say, eBay or E*TRADE)
I'd insist on a warranty from the manufacturer of the software I used
that made them liable for lost profits in the event their software
failed. Such a business utterly depends on the software working. An
alternative is insurance, and I imagine the big e-commerce sites do
either carry "software insurance", or else have negotiated deals with
their software providers.

While Graydon is right that much of this is cultural, there is another
contributing factor: the Microsoft monopoly. Microsoft's virtually
complete market dominance has allowed it to dictate terms, including its
waivers of liability. I assure you, VAX/VMS did not disclaim all
liability, nor did most other large software systems sold in the days
when there was a competitive market for software. Microsoft's dominance
has allowed it to make "This software may kill your cat, and we don't
care" an industry standard.

It's probably a matter of time before we start seeing mandatory
warranties on software just as there are mandatory warranties on many
other classes of product.

It's probably a matter of time before we start seeing mandatory
warranties on software just as there are mandatory warranties on many
other classes of product.

Seems to be some conflict within the GPL itself with that. Yes you can
add a warranty to the software:

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

But you also cannot be forced to change the license or rights, and a key
phrase of the GPL is NO WARRANTY. i.e. You cannot force me to warranty
a GPL program. If you try, you lose the right to license or distribute
it at all. Thus, according to the GPL, required warranty means you
cannot have the program at all.

Yes, it also says:

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
PERMITTED BY APPLICABLE LAW.

But that law might force me to warranty in which case, I can't give you the program at all.

This might be interesting if some form of UCITA requires warranties.
Similar to porn, vendors might be forced to ask location and refuse to
sell due to local community laws and standards. "Hello, Red Hat. No
sir, I'm sorry, we can't sell to you if you live in Maryland."

Note that Corel did something similar with Corel Linux downloads
requiring you be 18, and I seem to recall RMS saying that was ok to do,
since it was a legal requirement to enforce a contract (anyone recall
the specifics there?)

Note that the GPL says "to the extent permitted by appropriate law". If
appropriate law refuses to allow you to disclaim warranties, then the
license does not act as a disclaimer of them. The GPL warranty
disclaimer is NOT a part of the license; it's there to protect the
author from liability lawsuits. Whether this works or not is not clear,
although under the UCITA it is more likely that a disclaimer of the sort
which is in the GPL will in fact work.

The law CAN force you to do things that the license does not force you
to do. No license is superior to the law; the law takes priority over
and determines the interpretation of licenses and contracts.

It occurs to me that sethcohn probably
doesn't understand exactly what the GPL does. Most people don't, it's not
at all obvious at times to those not trained in the law.

"Luke's point that the same people that made the laws are now taking
advantage of them by suing is interesting... Might be a good proof that
government is only a way to force some people to do what others want. "

Sethcohn, it's not the government's fault (U.S., in this case). They
rely heavily on specialists to tell them what's at stake (having no clue
about the topic, themselves), and those specialists either did not come
forward to get this [particular] law thrown out or were not approached.

I worked for Internet Security Systems. It was sufficiently ludicrous
for us to be unable to work on identifying software that is a serious
security risk, just because someone wants to hide behind copyright
protection, that a specialist with an invested interest in ISS lobbied
to have a clause added to allow "Security companies and Anti-Virus
companies" to do reverse-engineering for "Security Evaluation"
purposes.

I wouldn't complain about commercial software to be developed by
licensed developers. The problem I have is the fact that myself as a
hobbyist (though I have done programming for work) doesn't have the
monies to warranty a piece of software I give away for free. Now if a
company said I'd like a bug free version of your Fibonacci Heap code,
I'd say, sure, just give me $25,000 plus 5% of the royalties of your
software and I'll give you a version that is bug free in two weeks. The
whole point is the free software developers are contributing their time
for free. As soon as you enact laws that require a person be responsible
for their software, the software industry will shrink to about 5% of
what it is today because many people will stop producing software. There
will then be an underground of software which is even worse than the
currently unregulated software industry.

As soon as free software starts costing money to develop, projects like Advogato will dry up and disappear. It's just a bad idea.

I have no problems with adding expenses to developing commercial
software such as requiring licensed programmers. I actually think that
this would be beneficial. Then we won't have as many problems with
programs like Windows. There are way too many bad programmers out there
in the world. Some projects are better at weeding out bad developers
than others.
